RealTime IT News

Feds Failed to Warn on Flawed E-Vote Lab

The Election Assistance Commission (EAC), which is responsible for accrediting testing labs that inspect electronic voting machines, failed to notify local officials that it has refused to accredit Ciber, which tests the software for most of the electronic voting systems currently in use.

Ciber was allowed to certify software patches, such as the ones that fix problems that surfaced in the run-up to November's mid-term elections, notably in Maryland, where e-poll book devices caused havoc during the 2006 primaries.

Officials in California and other states also relied on a report from Ciber that dismissed concerns raised by computer experts who demonstrated security flaws in electronic voting machines.

Local election officials were not made aware of Ciber's status, however, reinforcing claims by election integrity activists that the EAC is more concerned with protecting voting machine vendors than the rights of the electorate.

In testimony given to the House of Representatives on July 19, 2006, EAC Commissioner Donetta Davidson noted that her agency had enacted "a certifying process for the first time," but made no mention of Ciber at the hearing.

The initial assessment of Ciber was completed on July 20.

Davidson also testified that the EAC will "maintain a register of accredited labs and post this information on its Web site to fully inform the public about this important process."

But the relevant Web page has no information or working links under such headings as "EAC Fully Accredited Laboratories," "EAC Denials of Certification" or "EAC Decertification Actions."

The fact that the EAC has not re-certified Ciber was not disclosed until an article published by the New York Times brought the issue to light on Thursday.

Warren Stewart, policy director of Vote Trust USA, a non-profit election integrity group, said he was "stunned" by the revelation. "I'm almost speechless about it."

He said that the fact that the EAC chose not to reveal this information "underlines the whole problem with having voting machines certified as a private-sector transaction. This makes it clear that we need a fully independent testing authority funded by the federal government," he told internetnews.com.

EAC spokeswoman Jeannie Layson said the fact that Ciber has not been re-certified demonstrates that the oversight process is working.

"I don't think it's correct to say we 'decertified' Ciber," she continued. "They applied for interim certification and have not received it due to the [flawed processes] cited in the [New York Times] article."

Layson said the EAC has not made any public announcement about Ciber because the certification process is not yet completed.

"We are still in the process of making the determination whether they will receive interim accreditation, and when that determination is made we will certainly make that info public, just as we did with the other two labs," she wrote in an e-mail.

Ciber, which is based in Greenwood Village, Colo., was re-assessed on Dec. 5 and Dec. 6 and has still not received interim certification.

Stewart said this attitude demonstrates that "the EAC is being too deferential to the interests of the voting-machine industry and is not concerned enough with the primary stakeholder in elections, which is the American voters."

Officials from Ciber did not return a call requesting comment.

According to this page on the EAC Web site, the interim accreditation is valid until Jan. 1, 2008. The page also lists the two labs that have been accredited so far: SysTest Labs of Denver, Colo., and Wyle Laboratories of Huntsville, Ala. (which is accredited for hardware testing only).

According to Jan Kosko of the National Institute of Standards and Technology (NIST), five labs are seeking accreditation as potential voting system testing laboratories through the NIST's National Voluntary Laboratory Accreditation Process.